Risk Assessment

InfoSec and Legal Aspects


Risk assessment
Laws governing InfoSec
Privacy
Risk Assessment
Assigns a risk rating for each asset
Likelihood refers to the probability of a
known vulnerability being attacked
Likelihood of fire forecast from actuarial data
Likelihood of virus estimated from volume of
email handled and number of servers in use
Likelihood of a network attack estimated from
the number of network addresses in use
Risk Assessment
How to assign value to information assets?
NIST SP 800-30 contains parameters to check
Critical assets are assigned the value 100
Non-critical but essential asset gets the value 50
Least critical assets get the value 1
What factors to look for in valuation?
Which threats present a danger?
Which threats present a significant danger?
Cost to recover from an attack
Threats that require maximum cost to prevent
Risk Assessment
Risk determination:
Risk = (likelihood * value) - (percentage of risk mitigated by current controls) + (uncertainty of current knowledge)
(the mitigation and uncertainty terms are percentages of the likelihood * value product, as in the examples that follow)
Example:
Asset A has vulnerability score 50
Number of vulnerabilities 1
Likelihood value 1 with no controls
Data are 90% accurate
Hence, Risk = 1 * 50 - 0% + 10%
= 50 - 0 + 10% of (1 * 50) = 50 + 5 = 55
Risk Assessment
Example:
Asset B has vulnerability score 100
Number of vulnerabilities 2
Likelihood value 0.5 for 1st vulnerability, whose
current controls address 50% of the risk
Data are 80% accurate
Hence, Risk = 0.5 * 100 - 50% + 20%
= 50 - (50% of 50) + (20% of 50)
= 50 - 25 + 10
= 35
Risk Assessment
Example:
Asset B has vulnerability score 100
Number of vulnerabilities 2
Likelihood value 0.1 for 2nd vulnerability with no
controls
Data are 80% accurate
Hence, Risk = 0.1 * 100 - 0% + 20%
= 10 - 0 + (20% of 10)
= 10 + 2
= 12
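The three slide examples carried through in code, as an added example that is not part of the original deck. The control-mitigation and uncertainty terms are applied as percentages of the likelihood * value product, exactly as the slides do; the names Vulnerability, risk_rating and rank_by_risk and the sample inputs are constructed here.

```python
"""Risk rating per the slide formula (added example, not from the deck):

    risk = (likelihood * value) - (risk mitigated by controls) + uncertainty

Both percentage terms are taken as fractions of the base likelihood * value
product, which is how the three worked slide examples arrive at 55, 35, 12.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str                  # asset label (constructed)
    asset_value: float          # NIST-style value: 100 critical, 50 essential, 1 least
    likelihood: float           # probability the vulnerability is attacked, 0..1
    control_mitigation: float   # fraction of risk addressed by current controls, 0..1
    data_accuracy: float        # confidence in the inputs, 0..1; uncertainty = 1 - accuracy


def _check_fraction(name: str, x: float) -> None:
    # Out-of-range inputs silently distort a ranking, so reject them early.
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{name} must be in [0, 1], got {x}")


def risk_rating(v: Vulnerability) -> float:
    """Return the risk rating for one vulnerability of one asset."""
    for name in ("likelihood", "control_mitigation", "data_accuracy"):
        _check_fraction(name, getattr(v, name))
    base = v.likelihood * v.asset_value            # likelihood * value
    mitigated = base * v.control_mitigation        # risk already addressed by controls
    uncertainty = base * (1.0 - v.data_accuracy)   # allowance for imperfect knowledge
    return base - mitigated + uncertainty


def rank_by_risk(vulns: list[Vulnerability]) -> list[Vulnerability]:
    """Highest-risk items first: the order in which controls should be planned."""
    return sorted(vulns, key=risk_rating, reverse=True)


# Constructed inputs mirroring the three slide examples (A; B 1st vuln; B 2nd vuln).
SAMPLE = [
    Vulnerability("A", 50, 1.0, 0.0, 0.90),
    Vulnerability("B", 100, 0.5, 0.5, 0.80),
    Vulnerability("B", 100, 0.1, 0.0, 0.80),
]

if __name__ == "__main__":
    for v in rank_by_risk(SAMPLE):
        print(f"asset {v.asset}: likelihood {v.likelihood}, risk {risk_rating(v):.1f}")
```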
Risk Assessment
The generic risks to the business are:
Loss of key assets: information, the network, skilled people
Disruption of key processes: revenue, regulatory reporting
Risk Factors
Assess risk based on these factors:
Impact Size
Rate of Change
Business Impact
Complexity
Recoverability
Value
Management Team Focus
Definitions
Civil law addresses violations of rules that
result in monetary loss as well as other forms
of damage caused to individuals or
organizations
Criminal law addresses violations that are
harmful to society
Tort law addresses violations by individuals
that result in personal, physical, or financial
injury to an individual
Private law regulates relationships between
an individual and an organization
Public law regulates relationships between
citizens
Definitions
Ethics is defined as socially acceptable
behavior
Code of conduct is a set of rules that an
organization defines as acceptable

Laws governing Information Security
Computer Security Act
Communications Assistance to Law
Enforcement Act
Computer Fraud and Abuse Act
USA PATRIOT Act

Computer Security Act
Passed in 1987. Official designation PL100-235
Law gave NIST the authority over unclassified
non-military government computer systems
NSA originally had this power
Main goals:
Develop policies for federal agencies concerning
computer security
Develop procedures to identify vulnerabilities in
computer security
Computer Security Act
Provide mandatory security awareness
training to all federal employees dealing
with sensitive information
Identify all computer systems that contain
sensitive information

CALEA
Passed in 1994
Works in conjunction with FCC regulations
Telephone companies must include hardware in
their switches that facilitates tapping of
conversations by law enforcement agencies
Telcos are not responsible for decrypting any
intercepted communication
Telcos will be provided reasonable
compensation for the addition of interception
hardware to switches
Computer Fraud and Abuse Act
Originally passed in 1994 and amended in 1996
PATRIOT Act amends this act further
CFAA's main provisions relate to the following:
knowingly accessing a computer without
authorization
intentionally accessing a computer without
authorization
knowingly and with intent to defraud, accessing a
protected computer without authorization
Prison time of up to 10 years is possible for any
violation
If damage caused is below $5,000 then only
criminal penalties apply and no civil penalties
apply
USA PATRIOT Act
Uniting and Strengthening America by
Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism
Passed in October 2001
Gives extensive powers to the federal
government to suspend notification provisions
of existing laws
Provides authorization for information search
without knowledge of the individual
Law expires in December 2004, unless
renewed by Congress
Privacy and Ethics
Information privacy
Information privacy laws
Federal Privacy Act of 1974
Electronic Communications Privacy Act of 1986
Communications Act of 1996
HIPAA of 1996
Computer Security Act of 1987
USA PATRIOT Act of 2001
Ethical aspects of information handling
Information Privacy
Privacy refers to personally identifiable
information about an individual or an
organization
Privacy does not mean absolute freedom
from observation
Privacy means state of being free from
unsanctioned intrusion
Financial and medical institutions treat
privacy as part of their compliance
requirements
Information is collected by cookies and points
of sale
Information Privacy
Privacy is a risk management issue
The ability to collect information from
multiple sources and combine it in
different ways has resulted in powerful
databases that can shed more light than
was previously possible
Information Privacy Laws
Federal Privacy Act of 1974
Requires all government agencies to
protect the privacy of information about
individuals and businesses
Certain agencies have exemption to
release aggregate data
Census Bureau
National Archives
Congress
Comptroller General
Credit agencies
Information Privacy Laws
Electronic Communications Privacy Act
of 1986
Regulates interception of wire, electronic,
and oral communications
Works in conjunction with the Fourth
Amendment providing protection against
unlawful search and seizure
Information Privacy Laws
Communications Act of 1996
Regulates interstate and international
communications
Communications decency was part of this
Act
Information Privacy Laws
Health Insurance Portability and
Accountability Act (HIPAA) of 1996
Protect confidentiality and security of
health care data
Electronic signatures are allowed
Patients have a right to know who has
access to their information and who
accessed it
References
NIST Risk Assessment Guide for Information Technology Systems, SP 800-30
Mike Godwin, When copying isn't theft, www.eff.org/IP/phrack_riggs_neidorf_godwin.article
Michael Whitman, Enemy at the Gates: Threats to Information Security, Communications of the ACM, 2003
References
Financial institutions: http://www.fdic.gov/news/news/financial/1999/FIL9968a.HTML
Risk Assessment Process: http://www.mc2consulting.com/riskart1.htm
ISACA: http://www.isaca.org/
Risk Assessment Guidelines: http://www.gao.gov/special.pubs/ai99139.pdf
Risk Assessment: http://www.ffiec.gov/ffiecinfobase/booklets/information_security/02_info_security_%20risk_asst.htm